Credential theft

Drizly GitHub Credentials and RDS Database Breach

2020-06-12 | GitHub; Amazon RDS; Amazon Web Services

Incident Details

In June 2020, Drizly (an online alcohol delivery service) suffered a data breach when an attacker discovered AWS credentials stored in plaintext in an internal GitHub repository. The credentials were accessible to all Drizly employees and had been present for two years. The attacker used these credentials to access an Amazon RDS database and exfiltrate personal data for approximately 2.5 million customers. Exposed data included names, email addresses, IP addresses, dates of birth, hashed passwords, and postal codes. The FTC subsequently took enforcement action against Drizly and its CEO James Rellas, ordering security improvements. In a notable precedent, the FTC order required Rellas personally to implement a security program at any future company he leads for 10 years, holding an individual executive accountable for the company's security failures. This case is frequently cited in discussions of executive accountability for cybersecurity.

Technical Details

Initial Attack Vector
The attacker found Drizly AWS credentials stored in an unsecured GitHub repository (accessible to all Drizly employees) and used them to access an RDS database containing 2.5 million customer records.
Vendor / Product
GitHub; Amazon RDS; Amazon Web Services

Timeline

  1. 2020-06-12 Breach occurred
  2. 2020-06-28 Publicly disclosed
  3. 2020-06-28 Customers notified